According to the spec https://tools.ietf.org/html/rfc6749#section-6 “The authorization server MAY issue a new refresh token, in which case the client MUST discard the old refresh token and replace it with the new refresh token. The authorization server MAY revoke the old refresh token after issuing a new refresh token to the client.”
It appears that in my Okta tenant, I am NOT getting back a new refresh token when I use the refresh_token grant type to get a new access token from the /token endpoint. Is this the default behavior of Okta? Is it configurable somewhere in the admin portal?